A port scan that is initiated from a monitored host can be detect by monitoring Windows Filtering Platform event id 5156https://system32.eventsentry.com/security/event/5156 and applying a threshold filter. Sysmon cannot be used to detect port scans since it only logs successfully established connections. 1. Enable auditing to ensure that ...

KB-ID 508
Category: Security
Applies to: 5.1.1 and later

The EventSentry service uses Microsoft39s LDAP library to resolve GUIDs from Active Directory at startup and during runtime. The port number will vary on different machines and might change during runtime. The Microsoft LDAP library opens up both a TCP and UDP connection upon initialization and connection to the nearest domain controller. T...

KB-ID 148
Category: Security

By default the EventSentry agent runs under the LocalSystem account which has unrestricted access to Operating System resources which ensures that all components of the system can be monitored accurately. You can change the account the agent is running under through the Services application in the Administrative Tools but some manual conf...

KB-ID 184
Category: Security
Applies to: All Versions

By default EventSentry is not affected by the Heartbleed unless SSL is enabled on the builtin PostgreSQL database. See below for a list of all EventSentry components: EventSentry Agent: Does not use OpenSSL not vulnerable EventSentry Heartbeat Agent: Does not use OpenSSL not vulnerable EventSentry Network Services: Does not use Ope...

KB-ID 256
Category: Security
Applies to: 2.93.x to 3.0.1.67

Yes this is only takes a few minutes to configure. Use the EventSentry console toolbar and click Tools Embedded Scripts Make a new script and give it a name that ends with .bat such as blockpetya.bat Select the new script and create its contents on the right. Paste this line: if not exist systemroot\perfc. echo systemro...

KB-ID 354
Category: Security
Applies to: 2.93 and later

Yes this is only takes a few minutes to configure. Use the EventSentry console toolbar and click Tools Embedded Scripts Make a new script and give it a name that ends with .bat such as blockbadrabbit.bat Select the new script and create its contents on the right. Paste these lines: if not exist systemroot\infpub.dat echo ...

KB-ID 368
Category: Security
Applies to: All

Yes. EventSentry39s File Monitoring and Process Tracking features can create SHA256 checksums of monitor or executed files which can be submitted on VirusTotal39s Search tabhttps://www.virustotal.com//home/search to get additional information about the files.

KB-ID 389
Category: Security
Applies to: 3.5 and later

The easiest way to get notified in realtime whenever a user is created in Active Directory is by forwarding MicrosoftWindowsSecurityAuditing event 4720https://system32.eventsentry.com/security/event/4720. This event is logged to the Security event log whenever an Active Directory user is created. More informa...

KB-ID 403
Category: Security

Starting with Windows 10 and Windows Server 2016 you can generate audit events whenever files are written to a removable drive by enabling auditing for the Removable Storage audit subcategory of the Object Access audit category. This will result in 4663https://system32.eventsentry.com/security/event/4663 events being generated whenev...

KB-ID 410
Category: Security
Applies to: 3.5 and later

Emotet https://en.wikipedia.org/wiki/Emotet is dangerous malware that has been infecting networks since 2016 causing serious damage to organizations. The team of JPCERThttps://www.jpcert.or.jp/english/ created Emocheckhttps://github.com/JPCERTCC/EmoCheck/releases a command line utility that detects running emotet processes. This a...

KB-ID 414
Category: Security

Recent CVE advisory CVE20200796https://cve.mitre.org/cgibin/cvename.cginame=CVE20200796 explains a remote code execution vulnerability that exists in the way that the Microsoft Server Message Block 3.1.1 SMBv3 protocol handles certain requests that affect Windows 10 and Windows Server. Microsoft has released a patch for this vulnera...

KB-ID 415
Category: Security

Utilman.exe is the utility program that is launched when the Ease of Access button on the login screen is clicked. At the time of writing it is still vulnerable to be replaced by cmd.exe allowing an attacker to simply reset any user password since the tool is executed with admin rights Infohttps://4sysops.com/archives/resetawindows1...

KB-ID 433
Category: Security
Applies to: 3.5 and later

This guide illustrates how to completely disable WinRM and how to deploy it over the network using the free tool EventSentry Admin Assistanthttps://www.eventsentry.com/adminassistant. 1. Disabling WinRM 2. Network deployment using EventSentry Admin Assistant Disabling WinRM The Windows Remote Management WinRM service is Micro...

KB-ID 436
Category: Security
Applies to: Admin Assistant

EventSentry can detect both successful and unsuccessful ZeroLogon attacks by examing various event patterns on domain computers. To use this package: Download the package using the link shown below Open the EventSentry management console Click on Packages Click on Import Select the ZeroLogon package resource 15

KB-ID 440
Category: Security
Applies to: 4.2.3

Starting with version 4.2.3 EventSentry supports custom threat feedshttps://www.eventsentry.com/documentation/help/html/configglobaloptions.htm black lists in addition to the builtin threat feeds. EventSentry loads additional IP address from the following file: systemroot\system32\eventsentry\temp\eventsentrythreatintelcustom.tmp...

KB-ID 442
Category: Security
Applies to: 4.2.3

Starting with EventSentry v4.2.3 web attacks can be detected with a set of regular expression rules that can be applied to any monitored log file including IIS log files. New EventSentry installations not pre 4.2.x upgrades automatically have these rules activated in all IIS Windows log file packages except for 2008 users who upgra...

KB-ID 443
Category: Security
Applies to: 4.2.3

Sysmonhttps://docs.microsoft.com/enus/sysinternals/downloads/sysmon is a free driverbased utility that supplements Windows39s builtin audit capabilities. Combining Sysmon with EventSentry39s monitoring capabilities enables users to detect a number of potential threats on their monitored servers and workstations. Scythehttps://www.scyt...

KB-ID 447
Category: Security
Applies to: 4.2.3 and later

The EventSentry management console and services excluding the agent need access to the following: Application Process URLs / IPs Purpose Management Console eventsentryguix64.exe https://store.netikus.net 216.92.16.192https://www.eventsentry.com 216.92.10.83 Patch/Setup Down...

KB-ID 455
Category: Security
Applies to: 4.x and later

EventSentry can integrate with Decalage39s oletools https://github.com/decalage2/oletools to scan Microsoft Office files on your hosts for threats. This is useful for example if you have a file server where you would like to monitor all newly added Office documents and scan for threats. EventSentry will detect newly added Office documents ...

KB-ID 474
Category: Security
Applies to: 5.x

By monitoring 4688 events from the security event log and filtering on the process file size EventSentry can notify you if a large or small executable was launched. 1. Ensure that 4688 eventshttps://system32.eventsentry.com/security/event/4688 are being logged to the event log. See the link for more information on auditing requirements...

KB-ID 506
Category: Security
Applies to: 5.1.1.82 and later

By monitoring 4688 events from the security event log and filtering on the process file size EventSentry can notify you if an unsigned executable a file without a digital signature was launched. 1. Ensure that 4688 eventshttps://system32.eventsentry.com/security/event/4688 are being logged to the event log. See the link for more inform...

KB-ID 507
Category: Security
Applies to: 5.1.1.82 and later

EventSentry has a dashboard you can import into Web Reports that is designed to help detect insider threats. To install it first download it from this link: resource 39 Save this file to the following path on the EventSentry server: C:\Program Files\EventSentry\WebReports\web\webapps\ROOT\WEBINF\application\conf\ Then follow the ...

KB-ID 510
Category: Security
Applies to: 5.1 and later

Windows logs security event id 4624https://system32.eventsentry.com/security/event/4624 whenever a user logs on to a machine. Using the Hour/Day settings in an event log filter you can receive an email alert if someone logs in outside of normal working hours. 1. Ensure that 4624 eventshttps://system32.eventsentry.com/security/event/46...

KB-ID 511
Category: Security
Applies to: 5.1 and later